The golden rule of Web application security is to never trust data from
untrusted sources. Sometimes it can be useful to pass data through an
untrusted medium. Cryptographically signed values can be passed through an
untrusted channel safe in the knowledge that any tampering will be detected.

Django provides both a low-level API for signing values and a high-level API
for setting and reading signed cookies, one of the most common uses of
signing in Web applications.

You may also find signing useful for the following:

Generating “recover my account” URLs for sending to users who have
lost their password.

Ensuring data stored in hidden form fields has not been tampered with.

Generating one-time secret URLs for allowing temporary access to a
protected resource, for example a downloadable file that a user has
paid for.

When you create a new Django project using startproject, the
settings.py file is generated automatically and gets a random
SECRET_KEY value. This value is the key to securing signed
data – it is vital you keep this secure, or attackers could use it to
generate their own signed values.

Returns a signer which uses key to generate signatures and sep to
separate values. sep cannot be in the URL safe base64 alphabet. This alphabet contains
alphanumeric characters, hyphens, and underscores.

If you do not wish for every occurrence of a particular string to have the same
signature hash, you can use the optional salt argument to the Signer
class. Using a salt will seed the signing hash function with both the salt and
your SECRET_KEY:

Using salt in this way puts the different signatures into different
namespaces. A signature that comes from one namespace (a particular salt
value) cannot be used to validate the same plaintext string in a different
namespace that is using a different salt setting. The result is to prevent an
attacker from using a signed string generated in one place in the code as input
to another piece of code that is generating (and verifying) signatures using a
different salt.

If you wish to protect a list, tuple or dictionary you can do so using the
signing module’s dumps and loads functions. These imitate Python’s
pickle module, but use JSON serialization under the hood. JSON ensures that
even if your SECRET_KEY is stolen an attacker will not be able
to execute arbitrary commands by exploiting the pickle format: